Re: [OPSAWG] 2nd try: how many SBOMs do we need to locate and discover?
Eliot Lear <lear@cisco.com> Thu, 15 April 2021 11:46 UTC
Return-Path: <lear@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27CB43A1B5A for <opsawg@ietfa.amsl.com>; Thu, 15 Apr 2021 04:46:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.587
X-Spam-Level:
X-Spam-Status: No, score=-9.587 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_NONE=0.001, T_MIME_MALF=0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pw-Wz5QhZGOc for <opsawg@ietfa.amsl.com>; Thu, 15 Apr 2021 04:46:48 -0700 (PDT)
Received: from aer-iport-3.cisco.com (aer-iport-3.cisco.com [173.38.203.53]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77C563A1CB2 for <opsawg@ietf.org>; Thu, 15 Apr 2021 04:46:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=21100; q=dns/txt; s=iport; t=1618487207; x=1619696807; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=CjQk637TMDXabp8vOD+rvMCJTZ2Ka5BxF7VTLQKdb5c=; b=SeVPRLIkTbB4JhIvXXenQxMIqayA4LXVehUi+BsS8s1a6qYShxD4WQ1i eiavfQvt8d2m7kNAxAMihZXkMLWnBjRVqYpx1CYXVU8iOgDzRJEduazDj usG4aMLYH0tozU263XrMVpD3XmtH7Yv4mZzHYksk8U19wRc08Vahn0KBf Y=;
X-Files: signature.asc : 488
X-IPAS-Result: A0BGAAAaJ3hg/xbLJq1XAxkBAQEBAQEBAQEBAQEBAQEBAQESAQEBAQEBAQEBAQEBghKBI4F/VgEnEjGEQ4kEiGwDh3uHLYUehjiBaAQHAQEBCgMBASgMBAEBgVuCdQKBdCY4EwIDAQEBAwIDAQEBAQEFAQEBAgEGBHEThVANhkQBAQEDASMERQoDBQcECxEDAQEBASoCAkkBBQgGE4JxAYJmIQ+qYXl/M4EBg0MFgRCFCxCBOQGBUoUeDwGGUwg7gguBEyccgl8+gmABAxiBCAkBDwMBCTgBJoJQNYIrBIIEPDRABQMZKwEUDDMFDhUdAwQtDQUkAQsoDwIcFJBCEgcrjEebc4EUgxaDP4FGhGKTHQQflDGQSpJBjkWSNzALVAGEAQIEBgUCFoFrI2leCwczGggbFWUBgj4JNRIZDlWNUwgRg06Bf4hcPwMvAgEBNAIGAQkBAQMJjQ4BAQ
IronPort-HdrOrdr: A9a23:RWlVmqn7jrKkyXSDtnauXpPOPjzpDfKu3DAbvn1ZSRFFG/Gwvc rGpoV56TbfjjENVHY83e2RIaXoex/h3LN8/IV5B9afdSb8vm/AFutfxKvkhwbtAijvstNavJ 0BT4FbBMfrBVZ3yeb2iTPUL/8FwN2KtJ+lnv3fyXAFd25XQppt5Qt4FQqXe3ceLGJ7LKE0G5 aG6s1MqyDIQwVzUu2AGnIHU+LfzuekqLvaZ3c9dnwawTjLqTup7bLgeiLouis2Yndo3aoo93 TDnkjf4Kiu2svLrCP05iv084lcnsfnx594IPG0zuIRKjnql2+TFeNcZ4E=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.82,223,1613433600"; d="asc'?scan'208,217";a="32635765"
Received: from aer-iport-nat.cisco.com (HELO aer-core-3.cisco.com) ([173.38.203.22]) by aer-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 15 Apr 2021 11:46:42 +0000
Received: from [10.61.144.121] ([10.61.144.121]) by aer-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id 13FBkfmj020450 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 15 Apr 2021 11:46:42 GMT
From: Eliot Lear <lear@cisco.com>
Message-Id: <B71E26C8-D89A-4B51-9E33-A8961DE15222@cisco.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_F98ECDBB-E343-4E55-A619-5C21373789B9"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
Date: Thu, 15 Apr 2021 13:46:41 +0200
In-Reply-To: <03e201d73148$b7f349e0$27d9dda0$@reliableenergyanalytics.com>
Cc: opsawg <opsawg@ietf.org>
To: Dick Brooks <dick@reliableenergyanalytics.com>
References: <70EA8ACD-B546-43A1-BC8C-A34B30A8FA4F@cisco.com> <03e201d73148$b7f349e0$27d9dda0$@reliableenergyanalytics.com>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
X-Outbound-SMTP-Client: 10.61.144.121, [10.61.144.121]
X-Outbound-Node: aer-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/QskK2Rq40h9o9ci-LwGzaM7s_U8>
Subject: Re: [OPSAWG] 2nd try: how many SBOMs do we need to locate and discover?
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Apr 2021 11:46:53 -0000
> On 14 Apr 2021, at 18:10, Dick Brooks <dick@reliableenergyanalytics.com> wrote: > > Hi Eliot, > > This information is being provided as justification to support multiple SBOM's that may be required to conduct a comprehensive software supply chain risk assessment. I propose adding a new component level data element, called SBOMURL at the component level to enable discovery and access to a SBOM object to provider context needed to conduct a more extensive vulnerability search I think this is something that is internal to the SBOM. I think those sorts of references are possible today, and don’t require further discovery, which is really what we’re talking about here. So for instance, see spdxDocument at spdx.dev. Thus, you could imagine a flow like the following: >> get /.well-known/sbom http/1.1 >> Accept: */* << 200 sure have at it Date: Thu, 15 Apr 2021 11:41:46 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Sat, 06 Feb 2021 09:23:36 GMT ETag: "1eb4-5baa77dc923db" Accept-Ranges: bytes Content-Length: 147860 Vary: Accept-Encoding Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/spdx+xml Then looking at the SBOM itself, one could easily envision a reference within the SPDX file, in which case one GETs that as well. For an “extrapolated” SBOM, there’s no discovery because you’re not retrieving the SBOM, but generating it. Eliot > > I encountered this issue when testing SAG-PM (TM). > > Scenario: A new openssl bug is reported and I perform a software risk assessment using an SBOM that I know contains openssl; https://nvd.nist.gov/vuln/detail/CVE-2021-3450 a NIST NVD search of the filenames listed in the SBOM fails to detect the newly reported vulnerability, resulting in a false negative result. > > An "extrapolated" SBOM , created by SAG-PM (TM) using the binary installation package, lists the components that are present in the software package being analyzed, including these two entries for openssl: > > It's impossible to know that these two components are part of the openssl package, from the filename information in the installation file. This is where an SBOMURL "tag", associated with each file, could provide the missing context. > > FileName: libeay32.dll > SPDXID: SPDXRef-c752fdaa-b140-46ab-a564-2934d73c790d > FileType: BINARY > FileChecksum: SHA1: 731d2a30790eece1f7ef54dd3e7774d65c09a298 > LicenseConcluded: NOASSERTION > LicenseInfoInFile: NOASSERTION > FileCopyrightText: NOASSERTION > > FileName: ssleay32.dll > SPDXID: SPDXRef-8381311b-8222-4ae7-a2d6-0c7815d92514 > FileType: BINARY > FileChecksum: SHA1: 731d2a30790eece1f7ef54dd3e7774d65c09a298 > LicenseConcluded: NOASSERTION > LicenseInfoInFile: NOASSERTION > FileCopyrightText: NOASSERTION > > > > A NIST NVD vulnerability scan on the software components listed in the SBOM fails to detect the newly reported openssl CVE; see NVD results below: > > ----->Searching NISTNVD using: https://services.nvd.nist.gov/rest/json/cves/1.0?keyword=libeay32.dll > ---------->Total NIST NVD Vulnerabilities Found: 2 > CVE: ID: CVE-2019-12572 CVSS: 7.8 Description: A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client 1.0.2 (build 02363) for Windows could allow an authenticated, local attacker to run arbitrary code with elevated privileges. On startup, the PIA Windows service (pia-service.exe) loads the OpenSSL library from %PROGRAMFILES%\Private Internet Access\libeay32.dll. This library attempts to load the C:\etc\ssl\openssl.cnf configuration file which does not exist. By default on Windows systems, authenticated users can create directories under C:\. A low privileged user can create a C:\etc\ssl\openssl.cnf configuration file to load a malicious OpenSSL engine library resulting in arbitrary code execution as SYSTEM when the service starts. > Press Enter to continue vulnerability search, s to skip to next component or q to exit: > CVE: ID: CVE-2019-19741 CVSS: 7.8 Description: Electronic Arts Origin 10.5.55.33574 is vulnerable to local privilege escalation due to arbitrary directory DACL manipulation, a different issue than CVE-2019-19247 and CVE-2019-19248. When Origin.exe connects to the named pipe OriginClientService, the privileged service verifies the client's executable file instead of its in-memory process (which can be significantly different from the executable file due to, for example, DLL injection). Data transmitted over the pipe is encrypted using a static key. Instead of hooking the pipe communication directly via WriteFileEx(), this can be bypassed by hooking the EVP_EncryptUpdate() function of libeay32.dll. The pipe takes the command CreateDirectory to create a directory and adjust the directory DACL. Calls to this function can be intercepted, the directory and the DACL can be replaced, and the manipulated DACL is written. Arbitrary DACL write is further achieved by creating a hardlink in a user-controlled directory that points to (for example) a service binary. The DACL is then written to this service binary, which results in escalation of privileges. > > > ----->Searching NISTNVD using: https://services.nvd.nist.gov/rest/json/cves/1.0?keyword=ssleay32.dll > ---------->Total NIST NVD Vulnerabilities Found: 1 > CVE: ID: CVE-2010-5232 CVSS: 6.9 Description: Untrusted search path vulnerability in DivX Plus Player 8.1.0 allows local users to gain privileges via a Trojan horse ssleay32.dll file in a certain directory. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. > Press Enter to continue vulnerability search, s to skip to next component or q to exit: > > Thanks, > > Dick Brooks > > Never trust software, always verify and report! ™ > http://www.reliableenergyanalytics.com > Email: dick@reliableenergyanalytics.com > Tel: +1 978-696-1788 > > -----Original Message----- > From: OPSAWG <opsawg-bounces@ietf.org> On Behalf Of Eliot Lear > Sent: Wednesday, April 14, 2021 11:41 AM > To: opsawg <opsawg@ietf.org> > Subject: [OPSAWG] 2nd try: how many SBOMs do we need to locate and discover? > > It seems that my mail system ate my first attempt at this. > > One of the questions I raised in the opsawg meeting was how many SBOMs we would need to be able to retrieve. I am looking for use cases where there would be more than one. To me, I think the place to look is around VMs and containers, where the SBOM might be internalized. But that’s just one model. Another model would be that the container SBOM is hierarchically incorporated into the overall device SBOM. If that is done by reference, then I guess we get more than one. And every time we try to define what a device is at the IETF we seem to get burned if the model is not flexible. > > Thoughts? > > Eliot >
- [OPSAWG] 2nd try: how many SBOMs do we need to lo… Eliot Lear
- Re: [OPSAWG] 2nd try: how many SBOMs do we need t… Dick Brooks
- Re: [OPSAWG] 2nd try: how many SBOMs do we need t… Patrick Dwyer
- Re: [OPSAWG] 2nd try: how many SBOMs do we need t… Eliot Lear